British blogger discovered LG Smart TV spying on users

0
52

17:30 ET, 22 November 2013

British blogger revealed that his LG Smart TV collects and sends details about the owners’ viewing habits even if the users have activated a privacy setting.

Exactly one year ago we discussed about the possibility to exploit a vulnerability in Samsung Smart TV to penetrate our domestic network to spy on us or to serve a malware.

The British Developer and blogger DoctorBeet, announced to have discovered that his LG Smart TV is sending data about his family’s viewing habits back to the South Korean manufacturer.

It seems that the Smart TV, model LG 42LN575V, sends data back to LG servers even if the blogger has disabled the option “Collection of watching info” in the TV settings menu.

lg1

The Smart TV sends back to a non-functional URL information on channels being watched and time of vision, but the most concerning thing is that the device also collect and send to LG filenames of some media on a USB device connected to the TV.

To test the anomalous behavior DoctorBeet created a mock video file which he transferred to a USB stick, he named the file Midget_Porn_2013.avi that couldn’t possibly be confused with the TV set’s firmware. Once connected the USB to the Smart TV he verified that the filename had been transmitted in clear text to GB.smartshare.lgtvsdp.com.

lg2

Not all filenames present on USB devices were transmitted but DoctorBeet wasn’t able to find out the principle that governs the practice.

“Sometimes the names of the contents of an entire folder were posted, other times nothing was sent. I couldn’t see what rules controlled this.”

DoctorBeet noted that the URL contacted by the Smart TV with a POST requests doesn’t exist, for this reason he received HTTP 404 responses from LG’s server after the ACK.

Even if the URL doesn’t reply it could be used by LG in the future to enable the collection of users’habit for commercial use, for example to provide customized content and ad.

LG Smart Ad collects and analyzes users’ favorite programs, online behavior, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances for women.

“Note in particular that it means *nothing* that the script returns a 404: The information may still be in their logs – collecting information this way without actually having anything at the endpoint is an old practice, and more efficient on server resources than making the web server execute anything.”

“However, despite being missing at the moment, this collection URL could be implemented by LG on their server tomorrow, enabling them to start transparently collecting detailed information on what media files you have stored. It would easily be possible to infer the presence of adult content or files that had been downloaded from file sharing sites.” reported the blog post.

DoctorBeet decided to contact LG that replied that the behavior respects the Terms and Conditions for the Smart TV, the company also suggested that he take up the issue with the retailer who sold him the set.

Thank you for your e-mail.

Further to our previous email to yourself, we have escalated the issues you reported to LG’s UK Head Office.

The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer.  We understand you feel you should have been made aware of these T’s and C’s at the point of sale, and for obvious reasons LG are unable to pass comment on their actions.

We apologise for any inconvenience this may cause you. If you have any further questions please do not hesitate to contact us again.

Kind Regards

Tom

LG Electronics UK Helpdesk
Tel: 0844 847 5454
Fax: 01480 274 000
Email: cic.uk@lge.com

UK: [premium rate number removed] Ireland: 0818 27 6954
Mon-Fri 9am to 8pm Sat 9am-6pm

Sunday 11am – 5pm

The Information Commissioner’s Office declared to the BBC it is investigating on the issue.

“We have recently been made aware of a possible data breach which may involve LG Smart TVs,” said a spokesman.

“We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

LG clarified to the BBC , saying that the company is investigating the complaint:

As for why this particular LG Smart TV is collecting data in the first place, DoctorBeet cites a corporate video aimed at potential advertising partners. The lengthy clip includes claims such as:

“Customer privacy is a top priority at LG Electronics and as such, we take this issue very seriously,” 

“We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.” “LG offers many unique Smart TV models which differ in features and functions from one market to another, so we ask for your patience and understanding as we look into this matter.” 

DoctorBeet closes the post suggesting how to stop data trasmission, he has identified and blocked 7 domains used to collect users’ data:

  • ad.lgappstv.com
  • yumenetworks.com
  • smartclip.net
  • smartclip.com
  • smartshare.lgtvsdp.com
  • ibis.lgappstv.com

 

Pierluigi Paganini

(Security Affairs – Smart TV, cyber espionage)

rsa-logo